Configuring AWS SMTP Over TLS

Your private security group must be enabled for AWS SMTP communication using Transport Layer Security (TLS). Refer to these sections to download SMTP certificates, enable TLS in Fusion, and enable the ports specified in Amazon documentation, Connecting to an Amazon SES SMTP endpoint.

Downloading SMTP Certificates

Follow these steps to download the root certificate authority (CA) for SMTP:

  1. Log in to the bastion host machine.

  2. Download the Starfield Services Root CA from https://good.sca0a.amazontrust.com/ to the /tmp/ directory.

  3. Run the following command to rename the certificate file:

    mv <downloadedFile> /tmp/awssessmtp.cer

Importing or Updating AWS SES Certificates

Follow these steps to import and install AWS SES certificates into the Fusion User Management TrustStore:

  1. Copy the certificate (exported from your browser) into the fusion-user-management pod:

    kubectl cp /opt/certificates/awssessmtp.cer arcsight-installer-xxxx/fusion-user-management-xxxxxxxxx-xxxxx:/tmp -c hercules-management
  2. Open a terminal in the currently running pod:

    kubectl exec -it fusion-user-management-xxxxxxxxx-xxxxx -n arcsight-installer-xxxx -c hercules-management -- sh
  3. Change the directory to where the keytool command is located:

    cd /usr/lib/jvm/zulu-8/bin
  4. Install the certificate:

    ./keytool -importcert -storepass $KEYSTORE_PASSWORD -destkeystore /usr/local/hercules/crt/mgmtTrustStore.bcfks -alias awssmtp -file /tmp/awssessmtp.cer -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /usr/lib/jvm/zulu-8/lib/ext/bc-fips-1.0.2.jar
  5. Restart the fusion-user-management pod. For more information, see Signing the External Communication Certificate with Your Certificate Authority.

If an installed certificate expires, its path changes, or a fresh one is generated, you must reimport it. Follow these steps to reimport a certificate:

  1. Copy the certificate (exported from your browser) into the fusion-user-management pod:

    kubectl cp /opt/awssessmtp.cer arcsight-installer-xxxx/saasum-fusion-user-management-xxxxxxxxx-xxxxx:/tmp -c hercules-management
  2. Open a terminal in the currently running pod:

    kubectl exec -it fusion-user-management-xxxxxxxxx-xxxxx -n arcsight-installer-xxxx -c hercules-management -- sh
  3. Change the directory to where the keytool command is located:

    cd /usr/lib/jvm/zulu-8/bin
  4. Install the certificate:

    ./keytool -importcert -storepass $KEYSTORE_PASSWORD -destkeystore /usr/local/hercules/crt/mgmtTrustStore.bcfks -alias awssmtp -file /tmp/awssessmtp.cer -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /usr/lib/jvm/zulu-8/lib/ext/bc-fips-1.0.2.jar
  5. Restart the fusion-user-management pod. For more information, see Signing the External Communication Certificate with Your Certificate Authority.

For more information, see Connecting to an Amazon SES SMTP endpoint.

Enabling SMTP Over TLS in Fusion

This section includes information for enabling AWS secure SMTP communication in Fusion.

Prerequisites: Complete the certificate download and import procedures above for the AWS SES SMTP service before configuring SMTP for Fusion.

To configure SMTP for Fusion:

  1. Log in to the CDF Management Portal.

  2. Select Reconfigure in the Kebab Menu and navigate to Fusion > User Management Configuration.

  3. Configure SMTP:

    1. SMTP TLS Enable: enable this option for TLS, or disable it for non-TLS communication.

    2. Add the SMTP host URL.

    3. Add the SMTP port number(s) for TLS or non-TLS, as appropriate.

    4. Enter the SMTP Admin name.

    5. Enter the SMTP Admin password.

    6. Add the SMTP Admin email address.

    7. Click Save to activate the configuration changes.

      This will automatically restart application pods that offer email service.

If an installed certificate expires, its path changes, or a fresh one is generated, you must re-import it using the same process described above.
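The following script is an added example for checking the result of the certificate import and the Fusion SMTP configuration above; it is not part of the Fusion documentation or product code. It assumes a hypothetical SES endpoint name and port passed on the command line, SMTP credentials in the environment variables SES_SMTP_USER and SES_SMTP_PASSWORD, and the downloaded root CA at /tmp/awssessmtp.cer. The port-to-transport mapping follows the Amazon SES SMTP endpoint documentation referenced on the page (STARTTLS on 25, 587 and 2587; TLS wrapper on 465 and 2465); the `keytool -list` sample it inspects is constructed.

```python
"""Verify an AWS SES SMTP-over-TLS setup: truststore alias present, strict
verification context, and a live TLS handshake to the endpoint.
Added example; endpoint, credentials and CA path are assumptions."""
import os
import re
import smtplib
import ssl
import sys
from typing import Optional

# Port classes from the Amazon SES SMTP endpoint documentation: STARTTLS ports
# upgrade a cleartext session, TLS-wrapper ports speak TLS from the first byte.
STARTTLS_PORTS = {25, 587, 2587}
TLS_WRAPPER_PORTS = {465, 2465}


def transport_for_port(port: int) -> str:
    """Return 'starttls' or 'wrapper' for a known SES port. Unknown ports raise,
    so a typo in the Fusion SMTP port field fails loudly instead of silently
    degrading to a plaintext session."""
    if port in STARTTLS_PORTS:
        return "starttls"
    if port in TLS_WRAPPER_PORTS:
        return "wrapper"
    raise ValueError(f"port {port} is not an SES SMTP port; TLS mode unknown")


def make_verify_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that refuses unverified chains, name mismatches
    and pre-1.2 protocol versions. cafile is the imported root CA; None falls
    back to the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True              # endpoint name must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED    # never proceed without a trusted chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def alias_present(keytool_listing: str, alias: str) -> bool:
    """Check `keytool -list` output for a trustedCertEntry under the given alias.
    keytool prints one entry per line as '<alias>, <date>, trustedCertEntry, ...'."""
    pattern = re.compile(rf"^{re.escape(alias)},.*trustedCertEntry", re.MULTILINE)
    return pattern.search(keytool_listing) is not None


def probe(host: str, port: int, user: str, password: str, cafile: str) -> str:
    """Open a verified TLS session to the SES endpoint, authenticate, and return
    the negotiated protocol and cipher. Verification failures raise ssl.SSLError
    before any credential is sent."""
    ctx = make_verify_context(cafile)
    if transport_for_port(port) == "wrapper":
        conn = smtplib.SMTP_SSL(host, port, context=ctx, timeout=15)
    else:
        conn = smtplib.SMTP(host, port, timeout=15)
        conn.ehlo()
        conn.starttls(context=ctx)   # upgrade first; login only over TLS
        conn.ehlo()
    try:
        conn.login(user, password)
        sock = conn.sock
        summary = f"{sock.version()} {sock.cipher()[0]}"
    finally:
        conn.quit()
    return summary


# Constructed sample of `keytool -list -storetype BCFKS ...` output (not real
# output from a Fusion pod); the fingerprint is a placeholder.
SAMPLE_LISTING = (
    "Keystore type: BCFKS\nKeystore provider: BCFIPS\n\n"
    "Your keystore contains 2 entries\n\n"
    "awssmtp, Jan 10, 2024, trustedCertEntry, \n"
    "Certificate fingerprint (SHA-256): <placeholder>\n"
    "mgmt, Jan 10, 2024, PrivateKeyEntry, \n"
)

if __name__ == "__main__":
    print("awssmtp in truststore:", alias_present(SAMPLE_LISTING, "awssmtp"))
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
        print(probe(host, port, os.environ["SES_SMTP_USER"],
                    os.environ["SES_SMTP_PASSWORD"], "/tmp/awssessmtp.cer"))
```

Run it inside the pod (or from the bastion host) as `python3 ses_tls_check.py <smtp-host> 587` after pasting the real `keytool -list` output in place of the constructed sample; a handshake failure here points at the truststore import, while a successful summary line confirms that the host, port and TLS setting entered in the Fusion SMTP configuration match what the endpoint offers.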

Important: Message size constraints are applied according to the message size policy for your SMTP Service. Emailing report assets is one example that increases message size. If you encounter message limit or size warnings, or other errors, contact your SMTP administrator.

Example warning (AWS default):

AWS SES SMTP email attachments cannot exceed 10 MB. Contact your cloud administrator. See https://docs.aws.amazon.com/ses/latest/dg/quotas.html.